Tag
writeowner
2 items tagged “writeowner”.
Writeups
MACHINE Windows
HackTheBox: StreamIO
A Windows box mixing web and AD: a SQL injection on search.php dumps and cracks user hashes, an LFI/RFI chain gives an IIS shell, a backup database cracks nikk37 for WinRM, decrypted Firefox passwords yield JDgodd, and WriteOwner over CORE STAFF reads a LAPS password for Administrator.
MACHINE Windows
HackTheBox: TombWatcher
A Windows DC of pure AD permission abuse: from henry, WriteSPN targets alfred for Kerberoasting, INFRASTRUCTURE membership reads a gMSA password, a ForceChangePassword/WriteOwner/GenericAll chain reaches john over WinRM, then restoring a deleted cert_admin from the AD Recycle Bin and an ESC15 certificate template give Administrator.